How does OpenID work?

Tags:

openid

Can someone help me understand how OpenID works? I'm interested in the following answers:

  1. Do you still have to store user ids and passwords if using OpenId?
  2. How does my application create a new session when a user logs in?
  3. When users log out of the application do I need to do anything other than clear their session data? Do I need to inform the openId server?
Mohamad asked Nov 10 '10 17:11


2 Answers

I recently made an OpenID authentication system; this is how it works.

login:

  1. User puts in openid url (not necessarily unique),
  2. OpenID provider verifies and, on success, provides a unique OpenID URL.
  3. Put this url in the session.

authenticate request:

there is a table that maps openid url to user.

for each request:

  1. Look for openid url in the session
  2. If exists, lookup user record and attach it to the request
  3. Process the request.

Do you still have to store userIDs and passwords if using openId?

userIDs yes, passwords no (unless you provide other ways to log in besides OpenID).

How does my application find out and create a new session when someone logs in?

Sessions are handled as normal; sessions are for authenticated and unauthenticated users.

When a user logs out of my own application, do I need to do anything more than just clear their session from my application? (Do I need to inform the OpenID server?)

Nope.

dan_waterworth answered Oct 16 '22 16:10


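The login and per-request flow described in this answer, written out as an added Python example (it is not the answerer's code). The identifier stored in the session is the one the provider verified, not the URL the user typed; the user table maps that identifier to a local record that has no password column; and logout only clears the local session, as the answer says. The in-memory tables, the `OpenIDApp` class and the `User` dataclass are constructed for this example. One thing the example adds beyond the answer is issuing a fresh session id at login, which is the usual way to keep a pre-login session id from being reused after authentication.

```python
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    """Local user record. There is deliberately no password field:
    OpenID is the only way to log in to this example application."""
    user_id: int
    display_name: str
    claimed_id: str  # the unique OpenID URL the provider returned at registration


class OpenIDApp:
    """Constructed in-memory stand-in for an application's database and session store."""

    def __init__(self) -> None:
        self.users_by_openid: dict[str, User] = {}   # verified OpenID URL -> local user
        self.sessions: dict[str, dict] = {}          # session id -> session data
        self._next_user_id = 1

    def link_openid(self, verified_claimed_id: str, display_name: str) -> User:
        """Create the local user record that a verified OpenID URL maps to
        (the 'table that maps openid url to user' from the answer)."""
        user = User(self._next_user_id, display_name, verified_claimed_id)
        self._next_user_id += 1
        self.users_by_openid[verified_claimed_id] = user
        return user

    def start_session(self) -> str:
        """Every visitor gets a session, authenticated or not."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {}
        return sid

    def login(self, sid: str, verified_claimed_id: str) -> str:
        """Step 3 of the answer's login flow: once the provider's positive
        assertion has been verified, put the unique OpenID URL in the session.
        The caller must pass the identifier from the verified provider response,
        never the URL the user typed into the login form.
        Returns a new session id so the pre-login id is not reused."""
        old = self.sessions.pop(sid, {})
        new_sid = secrets.token_urlsafe(32)
        old["openid_url"] = verified_claimed_id
        self.sessions[new_sid] = old
        return new_sid

    def current_user(self, sid: str) -> Optional[User]:
        """Per-request authentication: look for the OpenID URL in the session
        and, if present, map it to the local user record.
        Returns None for unknown sessions, anonymous sessions, and verified
        identifiers that have no local user yet."""
        session = self.sessions.get(sid)
        if session is None:
            return None
        claimed = session.get("openid_url")
        if claimed is None:
            return None
        return self.users_by_openid.get(claimed)

    def logout(self, sid: str) -> None:
        """Only local session data is cleared; the OpenID provider is not contacted."""
        self.sessions.pop(sid, None)


def demo() -> list:
    """Walk through anonymous -> logged in -> logged out and report who is
    attached to the request at each stage."""
    app = OpenIDApp()
    alice = app.link_openid("https://example-provider.test/alice", "alice")  # constructed URL
    sid = app.start_session()
    stages = [app.current_user(sid)]                       # anonymous: None
    sid = app.login(sid, alice.claimed_id)                 # provider-verified id
    stages.append(app.current_user(sid))                   # alice
    app.logout(sid)
    stages.append(app.current_user(sid))                   # None again
    return stages


if __name__ == "__main__":
    for stage in demo():
        print("request user:", stage.display_name if stage else "anonymous")
```

`login` is the only place where trust enters the system, so in a real deployment its argument comes from the OpenID library's verified response object and nothing else; an identifier typed by the user is only the starting point for discovery and must never be written into the session.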
My understanding is the following:

  1. OpenId allows users to log in in a decentralized manner, which means the user's login credentials are handled by one site, the provider.

  2. Your system will interact with the provider to determine if a user is who they say they are. If they pass that check, your system logs them in.

  3. You still need to store some user information because the details of how they can use your system must be stored within your system.

So, if Google is an open id provider, SO can verify that I logged into Google and am who I say I am. SO then says, great, this user is hvgotcodes in our system, and gives me privileges that make sense for who I am in SO.

In answer to your specific question about logout, yes, you still log the user into your system after the open id provider verifies the user's credentials, and hence you can handle their logout status from your own system.

hvgotcodes answered Oct 16 '22 15:10